General
Target: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e
Size: 620KB
Sample: 220725-hb5rksahcn
MD5: 5f685fae5cf582995387f342f60b5e23
SHA1: f99aa09d283e441e42edb46ae48c58f6ac8011ce
SHA256: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e
SHA512: dc3793c5699e53ccb818787b5f60d866e1a4ab78ac08a0ba0e53db6a3810dfb829f67bf372acf54dcde768d8a7ae9434a213fd7391605b65e4290df5cb5b6ce5
Static task: static1
Behavioral task: behavioral1
  Sample: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe
  Resource: win10v2004-20220721-en
Malware Config
Extracted: C:\$Recycle.Bin\S-1-5-21-3762437355-3468409815-1164039494-1000\Recovery+pbccn.txt
  http://ert54nfh6hdshbw4f.nursespelk.com/BF8030705537E860
  http://kk4dshfjn45tsnkdf34fg.tatiejava.at/BF8030705537E860
  http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/BF8030705537E860
  http://fwgrhsao3aoml7ej.onion/BF8030705537E860
Extracted: C:\$Recycle.Bin\S-1-5-21-2660308776-3705150086-26593515-1000\Recovery+hvefa.txt
  http://ert54nfh6hdshbw4f.nursespelk.com/8FA12DEEBE8A2E6
  http://kk4dshfjn45tsnkdf34fg.tatiejava.at/8FA12DEEBE8A2E6
  http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/8FA12DEEBE8A2E6
  http://fwgrhsao3aoml7ej.onion/8FA12DEEBE8A2E6
Targets
Target: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e
Size: 620KB
MD5: 5f685fae5cf582995387f342f60b5e23
SHA1: f99aa09d283e441e42edb46ae48c58f6ac8011ce
SHA256: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e
SHA512: dc3793c5699e53ccb818787b5f60d866e1a4ab78ac08a0ba0e53db6a3810dfb829f67bf372acf54dcde768d8a7ae9434a213fd7391605b65e4290df5cb5b6ce5
Score: 10/10
- suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext